Exclude/Bypass MFA for Azure AD joined Devices

Question

Exclude/Bypass MFA for Azure AD joined Devices

MS Techie 2,751

i have win10 Multisession VM which is Azure AD joined .

We have MFA enabled .

Now whenever any user tries to access https://portal.azure.com or https://portal.office.com , then he has to go through MFA process.

We want to exclude MFA for Azure VM , which are Azure AD joined, so that if a user is logging into portal.office.com from this Azure VM (which is Azure AD joined) , then it should only ask for password and not ask for 2nd level of authentication . It should basically consider the AAD joined Azure VM as first level of authentication and then ask only for password.
How to achieve it ?

2) My Azure VM, which is Azure AD joined is not marked as compliant , in the All Devices section under Azure AD. How do i make my Azure VM compliant ?

3 answers

Your answer

Answer 1

Azdamus 1

Hi MSTechie,

We would need to know a bit more information on what type of MFA deployment you have - Is it Per-User MFA or Conditional Access MFA ?

If you have PerUser MFA - Make sure the account authenticating does not have the policy Enforced requiring MFA at every sign-in.

If it's Conditional Access MFA, inside your Conditional Access Policy that requests MFA prompt to authenticate the user you can go to conditions and use the "Filter for Devices" options to exclude devices with Trust Type - Azure AD Joined.

MS Techie 2,751 Reputation points

2022-11-13T16:25:39.64+00:00

Mine is conditional access. How can I make my azure device compliant, so that it gets trusted

Even though i set the above filter as Exclude devices with TrustType = Azure AD joined, still, it is asking for MFA for azure portal access from the same VM which is Azure AD joined.

Answer 2

Azdamus 1

In order for that "Compliant" property to turn green, the Azure VMs you are using must be enrolled into Microsoft Endpoint Manager (Intune) and have a Compliance Policy Assigned to them that evaluates the device and if it meets the criteria, it will return as compliant.

Intune is licensed as a stand-alone Azure service and has it's own licensing design. Details on it here - https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-intune-setup

A 3rd party MDM solution can also be used if it has integration with Azure Active Directory to report the compliance state.

MS Techie 2,751 Reputation points

2022-11-15T15:56:25.02+00:00

I did this exclude filtered devices option , it excludes MFA everywhere (even on devices not Azure AD Joined)

Basically i want to exclude MFA option only on Azure AD Joined Device and not other devices, but this exclude filter option is disabling MFA even outside the Azure VM.

1) When i check the user signin logs , it shows join type as blank , but actually the Azure VM is Azure AD joined ,as seen from Devices screen . Is it mandatory for the device to be Compliant with Intune for these options to work

As you can see, in the first image i pasted in the beginning of the question, for the last column Registered, it says yes and has a date for it.

2) So can I filter device which are registered? Does this registered column mean, azure ad registered ?

Answer 3

Azdamus 1

Apologies for the confusion, I scrolled by mistake on the "Operator" field and instead of "Equals" I switched to "Not equals". The correct setting there is: "TrustType equals Azure AD Joined" or syntax device.trustType -eq "AzureAD". Then the policy applies only on Azure AD Registered & Hybrid Azure AD Joined devices.

Now I think I understand better your scenario, when you created the VM, you selected the "Login with Azure AD" checkbox, right ?

If that's the case, disregard the former advice and in the "Cloud apps or actions" section of your policy, exclude "Azure Windows VM Sign-In" app. That's it. Official documentation here.

MS Techie 2,751 Reputation points

2022-11-16T15:52:14.56+00:00
i have 2 use case scenarios

Login to https://portal.azure.com from Azure VM ,which is Azure AD joined

Login to https://portal.azure.com from my laptop, which is not in azure and it is not registered or azure AD joined.

My problem is even when i have configured the Excluding filter for device.trustType -eq "AzureAD" , i am observing the same behavior in both the use-cases. It does not ask for MFA in both cases.

so whether i login to the Azure Portal from the VM which is Azure AD joined or whether i login to the azure portal from my laptop (outside of azure VM), the behavior is still the same at both sides . Either it excludes MFA in both usecases when filter is device.trustType -eq "AzureAD" or it includes MFA in both the 2 usecases, when filter is device.trustType -neq "AzureAD"

Ideally it should be different behavior when i have access portal.azure.com from Azure VM joined to Azure AD and from my laptop, which is not in azure., since my conditional policy is configured that way

So my question is for this filter to fire, should the Azure DEVICE be marked as compliant , because when i check the user sign-in logs, i see join type is blank for the user. Ideally it should capture Join Type as Azure AD joined.

Share via

Exclude/Bypass MFA for Azure AD joined Devices

3 answers

Your answer